feat: gomod direct detection (#1354)
* First draft

Signed-off-by: Prabhu Subramanian <[email protected]>

* Work hard to set component scope while parsing go.mod manually

Signed-off-by: Prabhu Subramanian <[email protected]>

* Work hard to set component scope while parsing go.mod manually

Signed-off-by: Prabhu Subramanian <[email protected]>

* Mark go toolchains as excluded

Signed-off-by: Prabhu Subramanian <[email protected]>

* Sort go packages

Signed-off-by: Prabhu Subramanian <[email protected]>

* Specify version numbers in readme

Signed-off-by: Prabhu Subramanian <[email protected]>

* Tune down optional scope

Signed-off-by: Prabhu Subramanian <[email protected]>

* Tune down the list by omitting and excluding obvious false positives

Signed-off-by: Prabhu Subramanian <[email protected]>

* Added go mod repo tests

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>
prabhu authored Sep 4, 2024
1 parent e09608e commit 2335d6d
Showing 20 changed files with 6,958 additions and 162 deletions.
8 changes: 8 additions & 0 deletions .github/workflows/repotests.yml
Expand Up @@ -303,6 +303,14 @@ jobs:
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/bom-go.json --validate --export-proto
shell: bash
- name: repotests go mod tests
run: |
mkdir -p gomod-example
cd gomod-example
curl -LO https://raw.githubusercontent.com/anchore/syft/main/go.mod
cd ..
bin/cdxgen.js -p -r -t go gomod-example -o bomresults/bom-gomod.json -p
shell: bash
- name: repotests vulnerable_net_core
run: |
FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --include-formulation
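Review bot: the new `repotests go mod tests` step passes `-p` twice on `bin/cdxgen.js -p -r -t go gomod-example -o bomresults/bom-gomod.json -p`; drop the trailing one. The step also fetches `go.mod` from the `main` branch of `anchore/syft` at run time, so the fixture changes underneath the test and a failure cannot be reproduced against a known input; pin the raw URL to a tag or commit, or vendor the file under `repotests/` next to `shiftleft-go-example`. Unlike the preceding go step it does not pass `--validate`, so a schema-invalid BOM would still let the job succeed.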
1 change: 1 addition & 0 deletions ADVANCED.md
Expand Up @@ -138,6 +138,7 @@ Below are some example commands to create an SBOM for a spring application and p
.print
.search spring
.query components[name ~> /spring/ and scope = "required"]
.query components[scope='required'].purl
// Supplier names
.query $distinct(components.supplier.name)
.sort name
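Review bot: the added `.query components[scope='required'].purl` quotes the literal with single quotes while the line above uses `scope = "required"`; use one quoting style in the example so readers do not have to wonder whether both forms are accepted, and a short comment like the existing `// Supplier names` line (for instance `// purls of required components`) would state the intent.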
14 changes: 7 additions & 7 deletions README.md
Expand Up @@ -55,7 +55,7 @@ Sections include:
## Installing

```shell
npm install -g @cyclonedx/cdxgen
npm install -g @cyclonedx/cdxgen@10.9.6
```

If you are a [Homebrew][homebrew-homepage] user, you can also install [cdxgen][homebrew-cdxgen] via:
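Review bot: `npm install -g @cyclonedx/cdxgen@10.9.6` hard-codes a release number into the Installing section, and the same pin appears again in the `cdx-verify` section below, so both lines go stale on every release unless the release process bumps them together; if the point of the pin is that go.mod direct detection needs this version or later, say so next to it, otherwise keep the unpinned form and let the changelog carry version-specific notes.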
Expand All @@ -72,28 +72,28 @@ deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryIn

You can also use the cdxgen container image with node, deno, or bun runtime versions.

The default version uses Node.js 20
The default version uses Node.js 22

```bash
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:master -r /app -o /app/bom.json
```

To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.

```bash
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app -o /app/bom.json
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno:master -r /app -o /app/bom.json
```

For the bun version, use `ghcr.io/cyclonedx/cdxgen-bun` as the image name.

```bash
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app -o /app/bom.json
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun:master -r /app -o /app/bom.json
```

In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)

```ts
import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^10.9.6";
```

## Getting Help
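Review bot: changing the container examples to `ghcr.io/cyclonedx/cdxgen:master`, `cdxgen-deno:master` and `cdxgen-bun:master` points users at a floating tag rebuilt from the default branch, so two runs of the documented command can pull different image content and produce different BOMs; for the primary example prefer a release tag or an `@sha256:` digest, and present `:master` as the bleeding-edge option. The `Node.js 20` to `Node.js 22` wording should be checked against the base image in the Dockerfile, which is not among the files shown here.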
Expand Down Expand Up @@ -403,7 +403,7 @@ To generate test public/private key pairs, you can run cdxgen by passing the arg
Use the bundled `cdx-verify` command, which supports verifying a single signature added at the bom level.

```shell
npm install -g @cyclonedx/cdxgen
npm install -g @cyclonedx/cdxgen@10.9.6
cdx-verify -i bom.json --public-key public.key
```

5 changes: 1 addition & 4 deletions docs/CLI.md
Expand Up @@ -21,10 +21,7 @@ flowchart LR
## Installing

```shell
sudo npm install -g @cyclonedx/cdxgen

# For CycloneDX 1.4 compatibility use version 8.6.0 or pass the argument `--spec-version 1.4`
sudo npm install -g @cyclonedx/[email protected]
sudo npm install -g @cyclonedx/[email protected]
```

If you are a [Homebrew](https://brew.sh/) user, you can also install [cdxgen](https://formulae.brew.sh/formula/cdxgen) via:
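Review bot: the removed comment was the only place in docs/CLI.md that told readers CycloneDX 1.4 output needs either version 8.6.0 or `--spec-version 1.4`; if that flag is still supported, keep the hint rather than dropping it together with the pin. Separately, `sudo npm install -g` runs the package's install scripts as root, while README.md in this same commit installs without `sudo`; align the docs on the non-root form (or a user-level npm prefix) so the documented path does not execute third-party install hooks with root privileges.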
2 changes: 1 addition & 1 deletion docs/ENV.md
Expand Up @@ -12,7 +12,7 @@ The following environment variables are available to configure the bom generatio
| PREFER_MAVEN_DEPS_TREE | Use maven `dependency:tree` command instead of the cyclonedx maven plugin |
| MAVEN_CENTRAL_URL | Specify URL of Maven Central for metadata fetching (e.g. when private repo is used) |
| ANDROID_MAVEN_URL | Specify URL of Android Maven Repository for metadata fetching (e.g. when private repo is used) |
| BAZEL_ARGS | Additional arguments for Bazel command. Eg: --bazelrc=bazelrc.remote |
| BAZEL_ARGS | Additional arguments for Bazel command. Eg: --bazelrc=bazelrc.remote |
| BAZEL_TARGET | Bazel target to build. Default :all (Eg: //java-maven) |
| BAZEL_STRIP_MAVEN_PREFIX | Strip Maven group prefix (e.g. useful when private repo is used, defaults to `/maven2/`) |
| BAZEL_USE_ACTION_GRAPH | SBOM for specific Bazel target, uses `bazel aquery 'outputs(".*.jar", deps(<BAZEL_TARGET>))'` (defaults to `false`) |
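Review bot: the only difference in the `BAZEL_ARGS` row is trailing whitespace, so this hunk is a formatting-only change unrelated to go.mod detection; that is fine, but a mention in the commit message would save reviewers from hunting for a content change in the table.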
12 changes: 3 additions & 9 deletions docs/README.md
Expand Up @@ -9,10 +9,7 @@ cdxgen is available as an npm package, container image, and single application e
## Installation

```shell
sudo npm install -g @cyclonedx/cdxgen

# For CycloneDX 1.4 compatibility use version 8.6.0 or pass the argument `--spec-version 1.4`
sudo npm install -g @cyclonedx/[email protected]
sudo npm install -g @cyclonedx/[email protected]
```

If you are a [Homebrew](https://brew.sh/) user, you can also install [cdxgen](https://formulae.brew.sh/formula/cdxgen) via:
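Review bot: same removal of the CycloneDX 1.4 guidance as in docs/CLI.md; the `--spec-version 1.4` hint should survive in at least one of the user-facing docs if the flag still works, and the `sudo npm install -g` form carries the same run-scripts-as-root concern raised there.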
Expand Down Expand Up @@ -66,10 +63,7 @@ cdxgen -t c -o bom.json
## Installation

```shell
sudo npm install -g @cyclonedx/cdxgen

# For CycloneDX 1.4 compatibility use version 8.6.0 or pass the argument `--spec-version 1.4`
sudo npm install -g @cyclonedx/[email protected]
sudo npm install -g @cyclonedx/[email protected]
```

## Usage
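Review bot: this is the second `## Installation` block in docs/README.md (the first is in the hunk above, near line 9), and both now carry the identical pinned `sudo npm install -g` command; keep one and link to it from the other, since two copies must be bumped on every release and will drift apart otherwise.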
Expand Down Expand Up @@ -243,7 +237,7 @@ To generate test public/private key pairs, you can run cdxgen by passing the arg
Use the bundled `cdx-verify` command, which supports verifying a single signature added at the bom level.

```shell
npm install -g @cyclonedx/cdxgen
npm install -g @cyclonedx/cdxgen@10.9.6
cdx-verify -i bom.json --public-key public.key
```
